The Inspector General says the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Emergency Management Agency (FEMA) could improve the effectiveness of their coordination efforts before, during, and after power outages.
Hurricanes Irma and Maria in 2017 left the Commonwealth of Puerto Rico with power outages throughout the island, some of which lasted nearly a year. Additionally, powerlines that touched a tree triggered some of California’s recent catastrophic wildfires, which caused millions of dollars in damage. And in February 2021, Texas experienced widespread power grid failures because frigid temperatures increased demand while straining the State’s ability to produce electricity. These multiple disasters in recent years have exposed challenges and concerns the Energy Sector faces in preventing and responding to incidents. With climate change making such disasters increasingly likely, the Government Accountability Office (GAO) previously called for Energy Sector efforts to be mutually reinforcing and recommended establishing compatible Energy Sector policies, procedures, and other means to operate across agency boundaries.
The Office of Inspector General (OIG) audit, which focused on the electricity subsector, found, however, that CISA and FEMA have not focused on these areas because they have been working on other priorities for their respective missions.
Individually, CISA and FEMA perform several activities that support the Energy Sector. However, they have not established a comprehensive and collaborative process to share information and coordinate with each other, DHS components, or Federal stakeholders. CISA acts as the nationwide coordinator and facilitator of information related to critical infrastructure security and resilience. Meanwhile, FEMA acts as the nationwide coordinator of Federal disaster response and recovery. These two roles run parallel within the Energy Sector and during Federal disaster response operations, making a comprehensive strategy to coordinate and prioritize their Energy Sector activities crucial.
OIG found that CISA and FEMA can improve the effectiveness of their coordination efforts before, during, and after power outages by implementing GAO’s leading practices and other key mechanisms for collaboration. “When agencies work together,” OIG’s report notes, “they can define and agree on their respective roles and responsibilities and common terminology. Frequent communication can improve agencies’ collaboration and prevent misunderstandings.”
In addition, OIG said that agencies can strengthen their commitment to work collaboratively by articulating their agreements in formal documents, such as memorandums of understanding, and that these written agreements are most effective when they are regularly updated and monitored. The watchdog’s audit found several policies and procedures were outdated and contained conflicting terminology.
OIG identified several areas — the Regional Resiliency Assessment Program (RRAP), the Threat and Hazard Identification and Risk Assessment (THIRA), and mitigation grants — in which CISA and FEMA could enhance coordination to mutually reinforce Energy Sector activities.
To effectively reduce the likelihood of power outages and, in the case of an incident, to restore and stabilize infrastructure-related services in affected areas, OIG is recommending that the CISA Director and FEMA Administrator develop and document a comprehensive and adaptive framework ensuring collaboration between DHS components in support of Energy Sector activities, including procedures to periodically monitor and update DHS Energy Sector activities to ensure progress toward achieving common goals and outcomes; and identify relevant participants and eliminate challenges to data sharing.
DHS concurred and said CISA’s Stakeholder Engagement Division will formally document the Energy Sector Liaison’s roles and responsibilities and associated Sector Risk Management Agency coordination mechanisms. The Energy Sector Liaison will work with the Sector Risk Management Agency to identify relevant partners with a “need to know” for sharing risk information. The process will also specify coordination between the Energy Sector Liaison and FEMA’s National Preparedness Directorate to ensure FEMA’s input is coordinated. The estimated completion date is March 31, 2023.
OIG also recommended that the CISA Director and FEMA Administrator each review and update key guidance in support of Energy Sector and disaster response activities to ensure it is current, relevant, and consistent. Additionally, OIG recommended that CISA and FEMA work with the Sector Risk Management Agency to ensure DHS Energy Sector policies, procedures, and guidance are compatible and do not contain conflicting terminology.
DHS agreed and said FEMA is updating the Response and Recovery Federal Interagency Operational Plans and will replace outdated references. Additionally, FEMA and CISA are nearing completion of the ESF-14 Joint Plan, which will expand on existing concepts and clarify cross-sector coordination procedures across supporting agencies. This is expected to be completed by December 30, 2022.